Friday, 4 September 2015

11 Offensive Security Tools for SysAdmins

Offensive security tools are used by security professionals for testing and demonstrating security weaknesses. Systems administrators and other IT professionals will benefit from understanding at least the capabilities of these tools: it helps in preparing systems to defend against these types of attacks, and in recognising the attacks in the case of an incident.

In the hands of a moderately skilled attacker, this selection of tools can wreak havoc on an organization's network.

If you are interested in testing these tools, they are all available to download and use for FREE. Most are open source, with a couple of exceptions. They must not be used against systems you do not have permission to attack. You could end up in jail.

The mitigations listed for each tool are high-level pointers to techniques that a systems administrator should consider for defending against these powerful tools. Further information can be found on the project sites for each of the tools.

Note that while some of the recommendations may appear to be common sense, far too often the basics are overlooked.

1. Metasploit Framework – an open source framework for exploit development and penetration testing, Metasploit is well known in the security community. It has exploits for both server-side and client-side attacks, and its feature-packed payloads (Meterpreter) make pwning systems fun! Armitage, a point-and-click GUI for network exploitation, is commonly bundled alongside it. This is the go-to tool if you want to break into a network or computer system.

Defending against Metasploit:

Keep all software updated with the latest security patches; the overwhelming majority of Metasploit exploits target known vulnerabilities for which a fix already exists.

Use strong, unique passwords on all systems; many of its auxiliary modules simply log in with default or guessed credentials.

Deploy network services with secure configurations, and disable the services you do not need.

2. Ettercap – a suite of tools for man-in-the-middle (MITM) attacks. Once you have put yourself in the middle with Ettercap (typically by ARP poisoning on the local segment), use its filters and plugins to manipulate or inject traffic on the fly. Sniffing data and passwords is just the beginning; inject to exploit FTW!

Defending against Ettercap:

Understand that ARP poisoning is not difficult in a typical switched network: any host on the segment can announce itself as the gateway.

Enable Dynamic ARP Inspection (together with DHCP snooping) or port security on managed switches, and use static ARP entries for the gateway on critical hosts.

Monitor for changes in IP-to-MAC bindings (arpwatch or similar); a poisoning attack is noisy once you are looking for it.
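To make the detection point concrete, here is an added example (not code from the original post or from the Ettercap project) of the check arpwatch performs: remember the first MAC address learned for every IP and alert when a later ARP reply changes it, or when one MAC claims several IPs. The sample replies, addresses and MACs are constructed for the example.

```python
"""Spot ARP cache poisoning in a stream of ARP replies.

Added example; not code from the original post or from Ettercap.  An ARP
poisoner such as Ettercap sends unsolicited ARP replies that bind the
gateway's (and the victim's) IP address to the attacker's MAC.  This check
remembers the first MAC learned for each IP and flags any later reply that
changes it, plus any single MAC that claims several IPs.  Caveat: the first
binding is trusted, so baseline during a window you know to be clean.
"""
from collections import defaultdict

# Constructed sample of (sender IP, sender MAC) pairs from ARP replies, as a
# passive sniffer on the segment would see them.  192.168.1.1 is the gateway,
# 192.168.1.20 a workstation, and 00:11:22:33:44:55 an attacker host that
# starts poisoning both of them from the fourth reply on.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:dd:ee:01"),   # gateway, legitimate
    ("192.168.1.20", "aa:bb:cc:dd:ee:20"),  # workstation, legitimate
    ("192.168.1.50", "00:11:22:33:44:55"),  # attacker's own address
    ("192.168.1.1", "00:11:22:33:44:55"),   # gateway IP -> attacker MAC
    ("192.168.1.20", "00:11:22:33:44:55"),  # victim IP -> attacker MAC (full MITM)
    ("192.168.1.1", "aa:bb:cc:dd:ee:01"),   # real gateway answering: flip-flop
]

# The first three replies alone: a clean baseline with no poisoning.
CLEAN_REPLIES = SAMPLE_REPLIES[:3]


def detect_arp_poisoning(replies):
    """Return a list of alert strings, one per suspicious reply.

    Rule 1: an IP whose MAC differs from the first MAC learned for it.
    Rule 2: a MAC that has claimed more than one IP address (routers and
            multi-homed hosts can do this legitimately; whitelist them).
    """
    learned = {}                    # ip -> first MAC seen (the trusted binding)
    ips_per_mac = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip not in learned:
            learned[ip] = mac
        elif learned[ip] != mac:
            alerts.append(f"MAC change for {ip}: {learned[ip]} -> {mac}")
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"{mac} claims {len(ips_per_mac[mac])} IPs: "
                          f"{sorted(ips_per_mac[mac])}")
    return alerts


def poisoning_suspects(replies):
    """Return the set of MACs that overrode an existing IP->MAC binding."""
    learned = {}
    suspects = set()
    for ip, mac in replies:
        mac = mac.lower()
        first = learned.setdefault(ip, mac)
        if first != mac:
            suspects.add(mac)
    return suspects


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print("ALERT:", alert)
    print("suspect MACs:", poisoning_suspects(SAMPLE_REPLIES))
```

In real use the replies would come from a sniffer on a mirror port or from the switch's ARP tables; the sixth reply shows the typical flip-flop pattern (legitimate host and poisoner both answering) that makes these attacks easy to spot.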

3. sslstrip – using HTTPS makes people feel warm, fuzzy and secure. With sslstrip an attacker in the middle rewrites the https:// links and redirects a site sends to the browser into http://, keeps the encrypted session to the server for itself, and hands the user a plain HTTP session in which all the traffic is readable. Banking details, passwords and emails from your boss, all in the clear. It even includes a nifty feature that replaces the favicon on the unencrypted connection with a padlock, just to keep the user feeling warm and fuzzy.

Defending against sslstrip:

Be aware of the possibility of MITM attacks (ARP poisoning, rogue proxies or gateways, hostile wireless).

Serve HTTP Strict Transport Security (HSTS) headers on your sites: a browser that has seen the header refuses to make the plain HTTP connection sslstrip depends on. This does not protect a user's very first visit unless the site is on the browser's preload list.

Look for sudden protocol changes in the browser's address bar. Not really a technical mitigation!

4. evilgrade – another man-in-the-middle attack. Everyone knows that keeping software updated is the way to stay secure. This little utility impersonates the update server for applications whose updaters fetch over plain HTTP without verifying a signature, and provides the user with a not-so-good update. It can exploit the upgrade functionality of around 63 pieces of software including Opera, Notepad++, VMware, VirtualBox, iTunes, QuickTime and Winamp! It really whips the llama's ass!

Defending against evilgrade:

Only perform updates to your system or applications on a trusted network.

Prefer software whose updater fetches over HTTPS and verifies a digital signature on the package before installing it; an updater that trusts whatever the network hands it is the whole attack surface here.

5. Social-Engineer Toolkit (SET) – makes creating a social-engineered client-side attack way too easy. It creates the spear phish, sends the email and serves the malicious payload. SET is the open source client-side attack weapon of choice.

Defending against SET:

User awareness training around spear-phishing attacks.

Strong email and web filtering controls, and keep client-side software (browsers and their plugins, Office, PDF readers) patched, since that is what the served exploit targets.

6. sqlmap – SQL injection is an attack vector that has been around for more than 15 years, yet it is still the easiest way to get dumps of entire databases. sqlmap is not only a highly accurate tool for detecting SQL injection; it can also dump information from the database and even launch attacks that result in operating system shell access on the vulnerable system.

Defending against sqlmap:

Use parameterized queries (prepared statements) for all database access and validate input on dynamic websites; input filtering on its own is exactly what sqlmap's tamper scripts are built to get past. In short: secure the web applications.

Use ModSecurity (mod_security) or another web application firewall (WAF) to help block malicious injection attempts. Not ideal, as WAFs can often be bypassed, so treat them as a second layer, not the fix.

Run the application's database account with the least privilege it needs; the shell-access attacks rely on high database privileges (file write, xp_cmdshell and the like) that an application account should never have.
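The vulnerable pattern sqlmap looks for, beside the parameterized fix, as an added example that is not code from the original post or from the sqlmap project. It uses an in-memory SQLite database with constructed users so it runs offline; the bug and the fix are the same with any SQL driver. The payloads are the standard tautology and UNION shapes; the table, column and user names are made up for the example.

```python
"""SQL injection: the vulnerable query beside its parameterized form.

Added example, not code from the original post or from sqlmap.  Constructed
in-memory SQLite data so it runs offline; the same bug and the same fix apply
to any SQL driver.
"""
import sqlite3


def make_db():
    """Build a throwaway database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob"), ("carol", "hash-of-carol")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Builds the query by string concatenation: the pattern sqlmap finds.

    The user-controlled value becomes part of the SQL grammar, so a crafted
    username can rewrite the WHERE clause or bolt on a UNION that reads any
    other column or table the database account can see.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn, username):
    """Uses a bound parameter: the value is data and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# A tautology payload of the kind sqlmap tries during detection: the
# vulnerable query becomes ... WHERE username = 'x' OR '1'='1' and
# returns every row.
PAYLOAD = "x' OR '1'='1"

# A UNION payload that turns the username lookup into a dump of the
# password_hash column (the "dump the database" capability).
DUMP_PAYLOAD = "x' UNION SELECT password_hash FROM users WHERE '1'='1"


def demo():
    """Run both lookups against both payloads and return the results."""
    conn = make_db()
    return {
        "vulnerable, tautology": lookup_user_vulnerable(conn, PAYLOAD),
        "vulnerable, union dump": lookup_user_vulnerable(conn, DUMP_PAYLOAD),
        "safe, tautology": lookup_user_safe(conn, PAYLOAD),
        "safe, union dump": lookup_user_safe(conn, DUMP_PAYLOAD),
        "safe, real user": lookup_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} -> {rows}")
```

The parameterized version returns nothing for either payload because the driver sends the literal string to the database as a value; no amount of quoting tricks can change that, which is why prepared statements, not input filters, are the fix.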

7. aircrack-ng – breaking holes in wireless networks for fun and profit. A suite of tools for monitoring, injecting into and attacking wireless networks: it recovers WEP keys from captured traffic in minutes, and captures the WPA/WPA2 four-way handshake for an offline dictionary attack on the pre-shared key.

Defending against aircrack-ng:

Never use WEP; the key can be recovered from captured traffic no matter how strong it is.

When using WPA2 with pre-shared keys, ensure the passphrase is strong (long and not dictionary-based). The handshake attack is offline, so passphrase strength is the only thing between the attacker and your network.

Where you can, use WPA2-Enterprise (802.1X) so there is no shared passphrase to crack.

8. oclHashcat – Need to get some passwords from the hashes you grabbed with sqlmap? Use this tool to bust them open. Over 48 different hashing algorithms are supported. It uses the GPU on your graphics card (if supported) to test candidate passwords many times faster than your clunky old CPU.

Defending against oclHashcat:

Passwords are the weakest link. Enforce password length first, then complexity; a GPU cracker eats short passwords regardless of how many character classes they contain.

Protect the hashed passwords: a cracker needs the hashes first, so restrict who and what can read the password table.

Salt the hashes with a unique random salt per user, and use a slow password hash (bcrypt, scrypt or PBKDF2 with a high work factor) rather than a single round of MD5 or SHA-1, so that every guess costs the attacker real time.
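An added example (not code from the original post or from the hashcat project) of why the last two points matter: an unsalted fast hash, the kind a leaked table usually contains, beside a per-user salted PBKDF2 hash built from the Python standard library. The iteration count and the sample password are choices made for the example.

```python
"""Why salting and slow hashes blunt a GPU cracker like oclHashcat.

Added example, not code from the original post or from hashcat.  Contrasts
an unsalted fast hash with a per-user salted PBKDF2-HMAC-SHA256 hash; the
iteration count below is an assumption for the example, tune it so one
verification takes on the order of 100 ms on your server.
"""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000


def weak_hash(password: str) -> str:
    """Unsalted MD5 (hashcat mode 0).

    Identical passwords give identical hashes, precomputed tables work, and
    one candidate guess is checked against every user in the dump at once.
    """
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as iterations$salt_hex$hash_hex.

    The random 16-byte salt forces the attacker to attack each user
    separately (no shared work, no rainbow tables), and the iteration count
    multiplies the cost of every single guess.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), dk_hex)


def same_password_distinct_hashes(password: str) -> bool:
    """Two users who pick the same password must not be linkable via the table."""
    return strong_hash(password) != strong_hash(password)


if __name__ == "__main__":
    pw = "Summer2015!"
    print("unsalted md5, user1:", weak_hash(pw))
    print("unsalted md5, user2:", weak_hash(pw))   # identical: crack once, both fall
    stored = strong_hash(pw)
    print("salted pbkdf2:      ", stored)
    print("verify correct:", verify_strong(pw, stored))
    print("verify wrong:  ", verify_strong("summer2015!", stored))
```

The weak hash is what the "Over 48 hashing algorithms" point is about: every one of those fast algorithms is there because a GPU can run it billions of times per second. A salted, iterated hash forces the attacker to pay the full iteration cost per guess per user.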

9. ncrack – brute-force network passwords with this tool from the Nmap project. Passwords are the weakest link, and Ncrack makes it easy to brute-force logins for RDP, SSH, HTTP(S), SMB, POP3(S), VNC, FTP and Telnet.

Defending against ncrack:

Use strong passwords everywhere, and prefer key-based authentication for SSH.

Implement time-based lockouts on network service password failures (fail2ban or your firewall's rate limiting), and watch the logs: a brute-force run produces hundreds of failed logins from one source within minutes.

Do not expose RDP, VNC, Telnet or SMB directly to the internet; put them behind a VPN.
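The detection and lockout rule above, as an added example that is not code from the original post or from the Ncrack or fail2ban projects: it parses OpenSSH "Failed password" log lines, counts failures per source address in a sliding window, and records the time a lockout would expire. The log lines, hostnames and addresses are constructed for the example (the addresses are from the documentation ranges), and the threshold and window values are assumptions.

```python
"""Brute-force detection over sshd log lines with a time-based lockout.

Added example, not code from the original post, Ncrack or fail2ban.  The
sample log is constructed; threshold, window and lockout are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH failure line, e.g.
# "Sep  4 10:15:01 bastion sshd[2301]: Failed password for root from 203.0.113.9 port 51023 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

LOG_YEAR = 2015  # syslog timestamps carry no year; the constructed sample is from 2015

# Constructed sample: one source hammering the box, one legitimate user who
# fat-fingers a password twice and then gets in.
SAMPLE_LOG = """\
Sep  4 10:15:01 bastion sshd[2301]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Sep  4 10:15:03 bastion sshd[2303]: Failed password for root from 203.0.113.9 port 51023 ssh2
Sep  4 10:15:05 bastion sshd[2305]: Failed password for invalid user oracle from 203.0.113.9 port 51024 ssh2
Sep  4 10:15:07 bastion sshd[2307]: Failed password for invalid user test from 203.0.113.9 port 51025 ssh2
Sep  4 10:15:09 bastion sshd[2309]: Failed password for root from 203.0.113.9 port 51026 ssh2
Sep  4 10:15:11 bastion sshd[2311]: Failed password for invalid user guest from 203.0.113.9 port 51027 ssh2
Sep  4 10:16:30 bastion sshd[2320]: Failed password for deploy from 198.51.100.7 port 40110 ssh2
Sep  4 10:20:45 bastion sshd[2331]: Failed password for deploy from 198.51.100.7 port 40111 ssh2
Sep  4 10:20:52 bastion sshd[2331]: Accepted password for deploy from 198.51.100.7 port 40111 ssh2
"""


def parse_failures(log_text):
    """Yield (timestamp, source_ip, username) for every 'Failed password' line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60),
                      lockout=timedelta(minutes=15)):
    """Return {source_ip: lockout_until} for sources that hit the threshold.

    Failures per source are kept in a sliding window; the first time a
    source has `threshold` failures inside `window`, it is recorded with the
    time its lockout would expire.  This is the rule a fail2ban-style
    responder or a firewall blocklist acts on.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    locked = {}
    for ts, ip, _user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in locked:
            locked[ip] = ts + lockout
    return locked


if __name__ == "__main__":
    for ip, until in detect_bruteforce(SAMPLE_LOG).items():
        print(f"lock out {ip} until {until:%H:%M:%S}")
```

The legitimate user with two failures five minutes apart never trips the rule, which is the balance a lockout policy has to strike: aggressive enough to stop a wordlist run, tolerant enough not to lock out real users (or let an attacker lock them out on purpose).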

10. Cain and Abel – cracking passwords, sniffing VoIP and man-in-the-middle (MITM) attacks against RDP are just a few examples of the many features of this Windows-only tool.

Defending against Cain and Abel:

The same network controls as for Ettercap; Cain's MITM attacks also start with ARP poisoning.

For RDP, require Network Level Authentication and a server certificate that clients can validate, so a certificate substituted by a man in the middle is rejected rather than clicked through.

11. Tor – push your traffic through this onion network, which is designed to give the user anonymity. Note that traffic between the exit node and its destination is not protected by Tor; it is only as secure as the application protocol itself, so use HTTPS. Make sure you understand what it does before using it: Tor provides anonymity, not encrypted end-to-end communication.

Defending against Tor:

It is possible to block known Tor exit nodes on your firewall (the list of exit addresses is published by the Tor project) if Tor traffic is linked to a threat to your environment.

If you are interested in testing these offensive security tools, take a look at the BackTrack Linux distribution (since superseded by Kali Linux). It includes many of these and other tools pre-installed.

These tools are used by security professionals around the world to demonstrate security weaknesses.

Only experiment on your local network where you have permission. Do not do anything stupid. You could end up in jail.